Within hours of the streaming service's bumpy rollout in the U.S. last week, hackers commandeered user accounts: locking out owners, changing login credentials and, in many cases, selling them for as little as US$3 (NZ$4.60) apiece, a ZDNet investigation revealed.
Disney's new video-on-demand streaming service has been compromised within a week of its being launched, with hacked Disney+ accounts offered for sale online for just $1.
Reusing names and password combinations from previous attacks at other sites can be a "very effective method" for hackers, he said.
It's a tough reality for Disney+, which secured 10-million customers in its first 24 hours, with a subscription fee of $8.99 a month in Canada.
If you are now using the same email and password across multiple websites, it may be worth taking the time out to change them and mix things up.
Hackers are selling Disney+ accounts for as little as $3, the investigation found.
At Code Media, a conference for media executives in Los Angeles this week, operators of rival services praised the Disney+ launch.
Other service users reported finding odd names and profiles linked to their account after logging in.
BBC News contacted Jason Hill, a lead researcher with CyberInt, who said numerous stolen accounts were from people who use the same passwords for different sites. If it works, they steal the account. So if someone steals your account and logs it into enough devices that you hit the limit, then you're out of luck. Which require users to contact Disney's customer service to have it resolved.
Thousands of Disney customers say they have been hacked after signing up to its online streaming service.
Disney says there's no indication of a security breach compromising passwords.
The organization recommended using three "random but memorable" terms in a password, to reduce the risk of having an account breached.
Hackers may have snagged some login credentials from other data leaks and gotten others from users "infected with keylogging or info-stealing malware", according to ZDNet, which was first to reveal the sales of hacked accounts. But Disney has appeared unready to handle the flood of customer inquiries for Disney Plus.